[MAGNOLIA-1839] can't read anonymous user after a session timeout Created: 14/Nov/07  Updated: 23/Jan/13  Resolved: 15/Nov/07

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 3.5 RC1
Fix Version/s: 3.5 RC1

Type: Bug Priority: Blocker
Reporter: Philipp Bärfuss Assignee: Philipp Bärfuss
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

 Description   

According to a report, the anonymous user can't be read after a session timeout of the HTTP session.

It might be that the following happens:

  • the user gets serialized
  • the deserialized user does not return the subject

The reported exception is:

ERROR info.magnolia.cms.security.SystemUserManager 14.11.2007 15:21:11 – Failed to login as anonymous user
javax.security.auth.login.AccountNotFoundException: user anonymous not found
at info.magnolia.jaas.sp.jcr.JCRAuthenticationModule.validateUser(JCRAuthenticationModule.java:79)
at info.magnolia.jaas.sp.AbstractLoginModule.login(AbstractLoginModule.java:189)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at info.magnolia.cms.security.SystemUserManager.getAnonymousSubject(SystemUserManager.java:132)
at info.magnolia.cms.security.SystemUserManager.getAnonymousUser(SystemUserManager.java:111)
at info.magnolia.cms.security.DelegatingUserManager$2.delegate(DelegatingUserManager.java:72)
at info.magnolia.cms.security.DelegatingUserManager.delegateUntilSupported(DelegatingUserManager.java:117)
at info.magnolia.cms.security.DelegatingUserManager.getAnonymousUser(DelegatingUserManager.java:70)
at info.magnolia.cms.security.Authenticator.getAnonymousUser(Authenticator.java:99)
at info.magnolia.context.UserContextImpl.getUser(UserContextImpl.java:66)
at info.magnolia.context.DefaultRepositoryStrategy.getSubject(DefaultRepositoryStrategy.java:77)
at info.magnolia.context.DefaultRepositoryStrategy.getAccessManager(DefaultRepositoryStrategy.java:69)
at info.magnolia.context.AbstractContext.getAccessManager(AbstractContext.java:118)
at info.magnolia.context.MgnlContext.getAccessManager(MgnlContext.java:167)

Then we end up in this:

ERROR info.magnolia.cms.security.SystemUserManager 14.11.2007 15:21:11 – Failed to get system or anonymous user [anonymous], will try to create new system user with default password
ERROR info.magnolia.cms.security.SystemUserManager 14.11.2007 15:21:11 – Failed to get system or anonymous user [anonymous], will try to create new system user with default password
ERROR info.magnolia.cms.security.SystemUserManager 14.11.2007 15:21:11 – Failed to get system or anonymous user [anonymous], will try to create new system user with default password
ERROR info.magnolia.cms.security.SystemUserManager 14.11.2007 15:21:11 – Failed to get system or anonymous user [anonymous], will try to create new system user with default password



 Comments   
Comment by Philipp Bracher [ 15/Nov/07 ]

I was able to reproduce the issue by hammering the system:

It ended up in an endless loop in getAnonymousUser() and getAnonymousSubject(). First I will try to remove the recursion on failing.

It looks like the createUserNode is failing because the system realm is null (not set). It might be that the very first exception is caused by the same problem because it tries to read the user in the wrong realm.

Here is the relevant exception extract:

INFO info.magnolia.cms.security.MgnlUserManager MgnlUserManager.java(createUser:215) 15.11.2007 11:48:11 can't create user [anonymous]
javax.jcr.PathNotFoundException: /null
at org.apache.jackrabbit.core.ItemManager.getItem(ItemManager.java:297)
at org.apache.jackrabbit.core.NodeImpl.internalAddNode(NodeImpl.java:721)
at org.apache.jackrabbit.core.NodeImpl.internalAddNode(NodeImpl.java:691)
at org.apache.jackrabbit.core.NodeImpl.addNode(NodeImpl.java:2013)
at info.magnolia.cms.core.DefaultContent.<init>(DefaultContent.java:169)
at info.magnolia.cms.core.DefaultHierarchyManager.createContent(DefaultHierarchyManager.java:208)
at info.magnolia.cms.security.MgnlUserManager.createUserNode(MgnlUserManager.java:246)
at info.magnolia.cms.security.MgnlUserManager.createUser(MgnlUserManager.java:207)
at info.magnolia.cms.security.SystemUserManager.getOrCreateUser(SystemUserManager.java:120)
at info.magnolia.cms.security.SystemUserManager.getAnonymousUser(SystemUserManager.java:110)
at info.magnolia.cms.security.Security.getAnonymousUser(Security.java:69)
at info.magnolia.context.UserContextImpl.getUser(UserContextImpl.java:66)
at info.magnolia.context.DefaultRepositoryStrategy.getSubject(DefaultRepositoryStrategy.java:77)
at info.magnolia.context.DefaultRepositoryStrategy.getAccessManager(DefaultRepositoryStrategy.java:69)
at info.magnolia.context.AbstractContext.getAccessManager(AbstractContext.java:114)
at info.magnolia.context.MgnlContext.getAccessManager(MgnlContext.java:167)
at info.magnolia.cms.security.URISecurityFilter.isAllowed(URISecurityFilter.java:81)

Comment by Philipp Bracher [ 15/Nov/07 ]

This shows the endless loop:

at info.magnolia.cms.security.SystemUserManager.getOrCreateUser(SystemUserManager.java:120)
at info.magnolia.cms.security.SystemUserManager.getAnonymousUser(SystemUserManager.java:110)
at info.magnolia.cms.security.SystemUserManager.getAnonymousSubject(SystemUserManager.java:126)
at info.magnolia.cms.security.SystemUserManager.getAnonymousUser(SystemUserManager.java:111)
at info.magnolia.cms.security.SystemUserManager.getAnonymousSubject(SystemUserManager.java:126)
at info.magnolia.cms.security.SystemUserManager.getAnonymousUser(SystemUserManager.java:111)
at info.magnolia.cms.security.SystemUserManager.getAnonymousSubject(SystemUserManager.java:126)
at info.magnolia.cms.security.SystemUserManager.getAnonymousUser(SystemUserManager.java:111)
at info.magnolia.cms.security.SystemUserManager.getAnonymousSubject(SystemUserManager.java:126)

Comment by Magnolia International [ 15/Nov/07 ]

Talking about endless loops, there's also a potential one at AbstractContext.getLocale() - probably not related here, but might be worth taking into account when solving this.

Comment by ashapochka [ 15/Nov/07 ]

Per Philipp's endless loop comment, it can be solved by passing anon user name/password explicitly to overloaded getAnonymousSubject I think, and AbstractContext.getLocale() can be overridden in the system context to return Locale.ENGLISH unless the locale is not null.

Comment by ashapochka [ 15/Nov/07 ]

Resolved as described in my preceding comment.

Comment by Magnolia International [ 15/Nov/07 ]

Please use Locale.getDefault() instead

Comment by ashapochka [ 15/Nov/07 ]

seems to be a partial solution only (just for the loop part)

Comment by ashapochka [ 15/Nov/07 ]

> Please use Locale.getDefault() instead

done

Comment by Philipp Bracher [ 15/Nov/07 ]

Infinite loop fixed. Realm is null-safe.
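
The re-entry between the user lookup and the subject lookup, and the two fixes discussed in this thread (credentials passed explicitly, null-safe realm), modelled as an added example that is not Magnolia's code. Every class, method, realm name and password value below is an assumption made for illustration (Java 16+ for records).

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model, not Magnolia source: every class, method and value here is an assumption.
public class AnonymousLookupDemo {
    record User(String name, String password) {}

    static final String FALLBACK_REALM = "system";          // assumed realm name
    private final Map<String, User> repo = new HashMap<>(); // constructed in-memory user store
    private final String realm;
    private int depth = 0;

    AnonymousLookupDemo(String realm) {
        // Null-safe realm: an unset realm must not turn into the path "/null".
        this.realm = (realm == null || realm.isEmpty()) ? FALLBACK_REALM : realm;
    }

    private String path(String name) { return "/" + realm + "/" + name; }

    // Stand-in for the JAAS login: succeeds only if the user exists with that password.
    private boolean login(String name, String password) {
        User u = repo.get(path(name));
        return u != null && u.password().equals(password);
    }

    // Looping shape: the subject lookup re-enters the user lookup to get credentials.
    User getAnonymousUserLooping() {
        if (++depth > 100) throw new IllegalStateException("re-entered " + depth + " times");
        getAnonymousSubjectLooping();
        return repo.get(path("anonymous"));
    }
    boolean getAnonymousSubjectLooping() {
        User u = getAnonymousUserLooping();
        return login(u.name(), u.password());
    }

    // Fixed shape: credentials are passed explicitly and a failure is reported once.
    User getAnonymousUser() {
        User u = repo.computeIfAbsent(path("anonymous"),
                p -> new User("anonymous", "constructed-placeholder"));
        if (!getAnonymousSubject(u.name(), u.password()))
            throw new IllegalStateException("anonymous login failed in realm " + realm);
        return u;
    }
    boolean getAnonymousSubject(String name, String password) { return login(name, password); }

    public static void main(String[] args) {
        AnonymousLookupDemo m = new AnonymousLookupDemo(null); // realm not set
        try { m.getAnonymousUserLooping(); }
        catch (IllegalStateException e) { System.out.println("looping: " + e.getMessage()); }
        System.out.println("fixed: " + m.getAnonymousUser().name() + " at " + m.path("anonymous"));
    }
}
```

The depth guard in the looping variant exists only so the demo terminates; without it the two methods call each other until the stack overflows.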

Generated at Mon Feb 12 03:30:50 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.